This decision depends primarily on who the holder of the product is, i.e., whose name will be on the product as the manufacturer.
If you are the manufacturer (license holder), then the manufacturer is expected to have ISO 13485 implemented. According to ISO 13485, when the manufacturer (license holder) outsources any part of the production process, this part of the process is still the manufacturer's responsibility. This means that regardless of the fact that you have outsourced that part of the production, that production must also be carried out in accordance with the requirements of ISO 13485. It doesn't matter whether they will be ISO 13485 certified or whether you will make all this documentation part of your ISO 13485 quality system. It all depends on how you agree. There must be a Quality Agreement between you and that company in which all mutual responsibilities are described. Be prepared that, regardless of your mutual agreement and whether they are certified or not, there is a possibility that during your audit by a certification body the auditor requires that an audit be conducted in that outsourced company as well.
For more information on this topic, please see the following article:
You can see how we designed a Quality agreement with the subcontractor in our ISO 13485:2016 Documentation toolkit:
Yes, you need to have the List of internal documents. The purpose of this list is to catalog all documents that have been created for the management system. It doesn't matter whether they are in electronic or paper form. This list tells you which documents are currently in use, which version of each document is currently active, and since when.
External documents are all documents that come into your company and are necessary for your work. This usually includes laws and regulations, contracts with suppliers and customers, and similar.
For more information on this subject, please see the following articles:
Medical devices that are to be put on the EU market must be prepared according to the requirements of the Medical Device Regulation (MDR, 2017/745). This regulation contains requirements for how the medical device must be designed, constructed, produced, and tested to prove its safety and performance.
For all medical device manufacturers, it is mandatory to have implemented a quality management system (Article 10). Also, manufacturers must prove compliance with a list of harmonized standards that are published by the European Commission in the Official Journal (Article 8). There are more than 300 different standards on that list, but the only standard on it that covers the quality management system is ISO 13485:2016. That is why manufacturers on the EU market are expected to have implemented ISO 13485:2016.
Besides the quality management system, each medical device must have prepared technical documentation according to Annex 2 and Annex 3 of the MDR.
In ISO 13485:2016 there is requirement 7.1 Planning of product realization, which asks the manufacturers to document one or more processes for risk management in product realization. ISO 14971:2019 is the standard that covers requirements regarding risk management, specifically for medical devices.
The following links are for future readings:
Please note that if all employees are accessing from home the same services and company-owned hardware they accessed when they worked in the company, then the ISMS scope does not need to be changed.
The use of personal devices to access the company’s services and company-owned hardware from home can be handled by means of identification of relevant risks related to the use of personal devices and to remote access, which can be treated by means of controls such as A.6.2.1 Mobile device policy, A.6.2.2 Teleworking, and A.13.2.1 Information transfer policies and procedures.
The use of company-owned hardware by employees from their homes can be handled by means of identification of relevant risks related to telework, which can be treated by means of controls such as A.6.2.1 Mobile device policy, A.6.2.2 Teleworking, and A.11.2.6 Security of equipment and assets off-premises.
To see what policies covering these controls look like, please take a look at these free demos:
These articles will provide you with a further explanation about teleworking:
These materials will also help you regarding teleworking:
1 - Clauses 4.1 and 4.2, are they based on the organization as a whole, rather than the department in scope? It seems like even clause 4.1 & 2 is a huge task, and identifies things that aren’t covered by the IT department. It seems odd to identify these issues as an organization, only to not cover them as they aren’t covered by our scope.
Answer: Please note that for clauses 4.1 and 4.2 you need to consider the organization as a whole because if you consider only your intended scope in terms of the IT department, you may miss elements that may impact the organization’s purpose, intended Information Security Management System (ISMS) outcomes, and/or interested parties and their requirements, but are not directly related to your intended scope.
For example, for a web store, the purpose can be selling products, the intended outcomes for the ISMS can be the protection of data related to buyers and products, and an interested party may be the sales department. In this context, if the web store’s sales department needs to keep part of the buyers’ data out of IT systems for some reason (e.g., regulation or contract), and the IT department is not aware of this situation, the scope may be incorrectly defined (e.g., if you want to keep only the IT department in the ISMS scope, then you need to state that buyers’ data that exists outside IT systems is out of scope).
For further information, see:
- How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
2 - Also, in terms of interested parties, would our students count? If so, would it be those over the age of consent in GDPR terms, or all ages?
Answer: This answer will depend on what you consider for the organization’s purpose and intended ISMS outcomes.
For example, if the organization’s purpose and intended ISMS outcomes are related to education or customer data, then students should be considered as interested parties. Regarding GDPR, because the related information can be considered PII, the information of students of all ages must be protected if you need to comply with GDPR. What will happen is that for students under the age of consent you will need to consider additional protections.
3 - Also, do you know if any schools or multi-academy trusts in the *** have achieved ISO 27001? If not, are there any resources or information you could point me to that are focused on educational establishments that I could gain some guidance from?
Answer: We are not aware of specifics on certifications in this industry in the country you mentioned. From the 2019 ISO Survey (https://www.iso.org/the-iso-survey.html and https://isotc.iso.org/livelink/livelink?func=ll&objId=21414015&objAction=Open&nexturl=%2Flivelink%2Flivelink%3Ffunc%3Dll%26objId%3D18808772%26objAction%3Dbrowse%26viewType%3D1) you can see the number of ISO 27001 certifications issued for this industry. To know about specifics, you need to contact the certification bodies in your country and ask for this information.
Some references you may find useful:
- https://www.gov.uk/government/publications/school-and-college-security/school-and-college-security
- https://www.beaming.co.uk/insights/cybersecurity-safeguarding-approach-schools/
- https://www.ncsc.gov.uk/information/resources-for-schools
4 - Finally (apologies, this may be oddly worded!), but as the IT department, does that just cover the processes/information used by them, or does it also mean the services/equipment the IT department provides for others to use? Such as requiring two-factor authentication for staff in other departments to log in to a service?
We’re also going to purchase the documentation and support pack with you, but our ordering process can take a little while, so just wanted to get these couple of questions out in advance!
Answer: Please note that you first need to consider if the protection of these services/equipment the IT department provides for others to use is relevant to your information security objectives. If so, you need to consider them as part of the scope of the IT department, because the implementation of controls will be focused only within the scope.
These articles will provide you with a further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you regarding scope definition:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
If your service is clearly defined and there is no innovation in it, then you can consider clause 8.3 as non-applicable.
The following material will provide you more information about exclusions:
Is ISO 14001 really the best certification for your particular case?
Everything depends on what your organization needs.
Let me try to explain. As a waste management company, I believe your organization has some kind of official qualification issued by a particular relevant authority. With that official qualification, a potential client may look at your organization and think something like “OK, this company is officially qualified to do the job of collecting waste”. The point is, why should a particular potential client choose your company among several waste management companies all equally qualified by the same or an equivalent relevant authority?
What kind of benefits is your organization looking for? Will your brand benefit from being ISO 14001 certified? And from being ISO 9001 certified? If your company is looking for cost reduction and higher efficiency, perhaps ISO 9001 can be recommended. If your company is looking to improve its image in the community and on the job market, perhaps even ISO 45001 certification can be recommended.
If your organization decides to go for ISO 14001, basically you have to determine how your organization interacts with the environment while collecting and managing waste. You start by determining the environmental aspects and impacts, i.e., how your organization interacts with the environment:
Each one of these interaction vectors is a specific type of environmental aspect.
So, for each type of environmental aspect, check where they appear, or can appear, in your organization’s activities, products and services. Consider operation under normal, abnormal and emergency situations.
You also have to determine the legislation and regulation applicable to your organization (compliance obligations). From there you determine priorities for improvement:
Then you have to define an environmental policy and objectives. From there, it is implementation by developing action plans to improve the interaction with the environment.
Then, perform an internal audit and the management review. There you can decide whether your organization is ready for a certification audit.
You can audit the entire organization or site by site. This should be discussed with potential certification bodies before starting the implementation project; sometimes they have different opinions.
Perhaps the following links can be useful:
First, it is important to note that the context of the organization is any internal or external factor that can affect the ISMS.
Considering that, concrete examples of elements of organizational context are:
Based on these you can identify elements that can help you understand how information security must be considered.
This article will provide you with a further explanation about the Context of the organization for ISO 27001:
These materials will also help you regarding the Context of the organization for ISO 27001:
1. Is there a rework procedure in the tool kit? I did not see it in there and I believe it is an ISO requirement for clause 8.3.4. Thank you.
Rework is covered in the 15_Procedure_for_Control_of_Non_Conforming_Products_Premium_EN in section 3.4 Handling non-conforming product.
For more information on how to handle non-conforming products, please see the following article:
2. I have a question about the clinical evaluation requirement. What exactly is needed for a manufacturer of a Class I medical device? Looking at the documents in the toolkit, I am not sure if it applies.
All requirements and topics that are covered in the folder Clinical evaluation are necessary for manufacturers of Class I medical devices. So you need to do a literature search about your product, make an equivalence with an existing product on the market, and make a report as described in annexes 1, 2, 3, and 4.
You can find more information on clinical evaluation in the following articles on the MDR:
If your medical device is Class I, then it does not require the involvement of a notified body. In that case, you need to prepare the Self-declaration of conformity and the technical file according to Annex II Technical documentation and Annex III Technical documentation on post-market surveillance. However, you need to contact a notified body regarding certification to ISO 13485:2016.
Which elements must be in the Declaration of Conformity you can find in Annex IV – EU Declaration of Conformity.
For more information, see:
The content of the Training & Awareness Plan needs to include needed training and awareness activities for all personnel included in the ISMS scope, not only the Internal Audit Team.
For example, it can include basic training for regular end users and, at the same time, advanced security techniques for IT and software development personnel.
This article will provide you with a further explanation about awareness and training:
This material will also help you regarding awareness and training: